marcelofares
Member Candidate
Topic Author
Posts: 129
Joined: Tue Mar 03, 2015 2:26 pm

VPN APPs block on Mikrotik

Sun Jun 12, 2022 2:22 am

Is there any way to restrict the use of VPN APPs by RouterOS?
All DNS filtering in this case ends up being circumvented with this security hole.
 
joegoldman
Forum Veteran
Posts: 767
Joined: Mon May 27, 2013 2:05 am

Re: VPN APPs block on Mikrotik

Sun Jun 12, 2022 2:29 am

You can block certain ports, but then SSL VPNs use 443, certain destination addresses but have to maintain an ever changing list etc.

It is a game of whack-a-mole. There's no overall solution without beefy DPI and mitm decryption.
 
rextended
Forum Guru
Posts: 12003
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: VPN APPs block on Mikrotik

Sun Jun 12, 2022 2:39 am

@marcelofares your battle against something that you do not want to make available on your network is lost at the start,
if you do not have full and unique control over every single device and cable...
 
marcelofares
Member Candidate
Topic Author
Posts: 129
Joined: Tue Mar 03, 2015 2:26 pm

Re: VPN APPs block on Mikrotik

Sun Jun 12, 2022 2:51 am

> @marcelofares your battle against something that you do not want to make available on your network is lost at the start,
> if you do not have full and unique control over every single device and cable...

I'm just trying to improve the security controls in my network. I'm referring to a public HOTSPOT network in this case, where I don't have control of the client's device, but I would like to restrict the network level (protocol) if possible, so I asked if there is any way through RouterOS.
 
rextended
Forum Guru
Posts: 12003
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: VPN APPs block on Mikrotik

Sun Jun 12, 2022 2:54 am

It does not depend on RouterOS, but on how the internet works.
Every day dozens of methods for circumventing blocks are born.
If the users can connect to the hotspot, why does the security of users' devices that are not under your control matter to you?
 
joegoldman
Forum Veteran
Posts: 767
Joined: Mon May 27, 2013 2:05 am

Re: VPN APPs block on Mikrotik

Sun Jun 12, 2022 3:10 am

Blocking VPN on public hotspot is also a bad idea - people use VPNs for legitimate reasons when using public hotspots, for things like banking etc.

Best solution if you are afraid of people using too much of the hotspot - is time/data based limits or some kind of PCQ config so one person can't netflix everyone else off the network.
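
The limits suggested in the post above, sketched as RouterOS configuration (an added example, not part of the original thread or any poster's own config). The subnet 10.5.50.0/24, the queue and user names, the rates and the caps are assumptions to adapt.

```routeros
# Added example. Subnet, names, rates and caps below are assumptions.

# PCQ queue types: every client address gets its own sub-queue,
# each capped at pcq-rate, so one client cannot starve the others.
/queue type
add name=hs-pcq-down kind=pcq pcq-classifier=dst-address pcq-rate=5M
add name=hs-pcq-up kind=pcq pcq-classifier=src-address pcq-rate=2M

# Apply both PCQ types to the hotspot subnet (queue= is upload/download).
/queue simple
add name=hotspot-fair target=10.5.50.0/24 queue=hs-pcq-up/hs-pcq-down

# Time-based limit: end each session after 2 hours, one device per login.
/ip hotspot user profile
set [find name=default] session-timeout=2h shared-users=1

# Data-based limit: a 1 GiB total cap and 4 hours of uptime for one account.
# Replace the placeholder password before use.
/ip hotspot user
add name=guest01 password=CHANGE-ME profile=default \
    limit-bytes-total=1073741824 limit-uptime=4h
```

Simple queues do not see FastTracked connections, so the hotspot traffic must not match a fasttrack-connection rule for these limits to apply.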
 
marcelofares
Member Candidate
Topic Author
Posts: 129
Joined: Tue Mar 03, 2015 2:26 pm

Re: VPN APPs block on Mikrotik

Sun Jun 12, 2022 3:52 am

> It does not depend on RouterOS, but on how the internet works.
> Every day dozens of methods for circumventing blocks are born.
> If the users can connect to the hotspot, why does the security of users' devices that are not under your control matter to you?
Because the network of these establishments is in my custody, therefore, who defines the access and blocking rules is the company, regardless of whether it is a HOTSPOT network or not.
 
joegoldman
Forum Veteran
Posts: 767
Joined: Mon May 27, 2013 2:05 am

Re: VPN APPs block on Mikrotik

Sun Jun 12, 2022 12:36 pm

As a network professional, you have to realise that there are compromises.

Restrict only devices you have full control of
OR;
understand every block has a workaround.

This is a FEATURE. Not a PROBLEM. The same things that help you control devices are what essentially protect private devices. You can't have the best of both worlds. At some point it becomes a people issue, not a technology issue - I say it to many clients, want me to block EVERY SINGLE DOWNLOAD OR STREAMING METHOD? Either block everything or put all devices under my control, or if you don't want that level of cost or inflexibility, start reprimanding those employees that do it once found out, otherwise they will continue doing it. Staff behaviour (yes I know your situation may not be employees) is a HR issue not a technology issue.
 
pe1chl
Forum Guru
Posts: 10234
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPN APPs block on Mikrotik

Sun Jun 12, 2022 1:58 pm

> Because the network of these establishments is in my custody, therefore, who defines the access and blocking rules is the company, regardless of whether it is a HOTSPOT network or not.
You have to understand that putting "people like you" out of their position to control what happens on the network has been the primary focus of internet development over the past years.
People want to protect their rights and privacy against intervention by network managers, and the internet has adapted to that.
It is your decision whether you want to provide WiFi access and let the users determine what they do with it, or keep control and install no open WiFi.
About the only thing you can still control is the bandwidth/data amount used by each user. Not what they use it for.
 
marcelofares
Member Candidate
Topic Author
Posts: 129
Joined: Tue Mar 03, 2015 2:26 pm

Re: VPN APPs block on Mikrotik

Sun Jun 12, 2022 7:09 pm

Well, I disagree with some comments.

From a Cybersecurity point of view, the more protections we have in our structures, the better it will be for all of us, because the fewer problems we will have to solve. I also think that if we have custody of the company's network, regardless of whether it is an open network (HOTSPOT) or a server network, the hardening rules are created and defined by us. I also understand that it is humanly impossible for us to have a high degree of security at all perimeters, but as a specialist in this area, I know that the more layers of protection we have, the better.

In the structure where I manage this HOTSPOT network, I have an NGF above RouterOS, and with the specific application blocking rules, I get a little more security in many points, not only in VPN APPS, but also in protocols, software and P2P (TORRENT).

My purpose of this topic was to know if this application control that we find in an NGF, we can have inside a RouterOS.
 
pe1chl
Forum Guru
Posts: 10234
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPN APPs block on Mikrotik

Sun Jun 12, 2022 9:28 pm

We cannot. RouterOS was not built to do that, and the hardware of many of the routers is not powerful enough to do it.
 
chechito
Forum Guru
Posts: 3007
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: VPN APPs block on Mikrotik

Mon Jun 13, 2022 2:20 am

> Well, I disagree with some comments.
>
> From a Cybersecurity point of view, the more protections we have in our structures, the better it will be for all of us, because the fewer problems we will have to solve. I also think that if we have custody of the company's network, regardless of whether it is an open network (HOTSPOT) or a server network, the hardening rules are created and defined by us. I also understand that it is humanly impossible for us to have a high degree of security at all perimeters, but as a specialist in this area, I know that the more layers of protection we have, the better.
>
> In the structure where I manage this HOTSPOT network, I have an NGF above RouterOS, and with the specific application blocking rules, I get a little more security in many points, not only in VPN APPS, but also in protocols, software and P2P (TORRENT).
>
> My purpose of this topic was to know if this application control that we find in an NGF, we can have inside a RouterOS.


You need an NGFW and pay for that device and their subscriptions, that's the way it works, MikroTik does not provide these features.
 
kevinds
Long time Member
Posts: 650
Joined: Wed Jan 14, 2015 8:41 am

Re: VPN APPs block on Mikrotik

Tue Jun 14, 2022 6:57 am

> I'm just trying to improve the security controls in my network. I'm referring to a public HOTSPOT network in this case, where I don't have control of the client's device, but I would like to restrict the network level (protocol) if possible,
How will blocking VPNs in any way improve security controls??

Why do you want "to restrict the network level (protocol) if possible"?

I'm just at a loss on how restricting VPNs will increase security on non-corporate devices...

This is one of the reasons I rarely use public WiFi...
 
marcelofares
Member Candidate
Topic Author
Posts: 129
Joined: Tue Mar 03, 2015 2:26 pm

Re: VPN APPs block on Mikrotik

Tue Jun 14, 2022 7:01 pm

> > I'm just trying to improve the security controls in my network. I'm referring to a public HOTSPOT network in this case, where I don't have control of the client's device, but I would like to restrict the network level (protocol) if possible,
>
> How will blocking VPNs in any way improve security controls??
>
> Why do you want "to restrict the network level (protocol) if possible"?
>
> I'm just at a loss on how restricting VPNs will increase security on non-corporate devices...
>
> This is one of the reasons I rarely use public WiFi...
I would just like the rules of networks to be imposed on everyone, even on open networks, in which they are subject to fraud, because of VPN APPs, but I've seen that an NGW is needed for that.

When I refer to imposed rules, it would be rules that the user connected to this open network, due to the fragility of the network protocols, do not circumvent the DNS blocking / filtering rules.

I can't be negligent and not worry about open networks, and only worry about server and corporate networks. It is also necessary to deploy as much protection as possible regardless of the type of network to work with, in the case of a public (open) network we are talking about.
 
pe1chl
Forum Guru
Posts: 10234
Joined: Mon Jun 08, 2015 12:09 pm

Re: VPN APPs block on Mikrotik

Tue Jun 14, 2022 7:06 pm

DNS blocking/filtering rules do not work anymore even without VPN APP due to more and more devices/applications using DoH and thus circumventing your DNS resolver and related firewall rules.
 
kevinds
Long time Member
Posts: 650
Joined: Wed Jan 14, 2015 8:41 am

Re: VPN APPs block on Mikrotik

Tue Jun 14, 2022 7:28 pm


> I would just like the rules of networks to be imposed on everyone, even on open networks, in which they are subject to fraud, because of VPN APPs, but I've seen that an NGW is needed for that.
>
> When I refer to imposed rules, it would be rules that the user connected to this open network, due to the fragility of the network protocols, do not circumvent the DNS blocking / filtering rules.
>
> I can't be negligent and not worry about open networks, and only worry about server and corporate networks. It is also necessary to deploy as much protection as possible regardless of the type of network to work with, in the case of a public (open) network we are talking about.
Still.. Huh?

What fraud? If you don't control the devices, they are user/public devices, what control do you hope to have?

DNS blocking/filtering is already a losing battle with the DNS over HTTPS feature that normal browsers are using.

"When I refer to imposed rules, it would be rules that the user connected to this open network"
Why are you trying to impose rules on public WiFi? What rules? As I said, this is why I rarely use public WiFi..

"It is also necessary to deploy as much protection as possible regardless of the type of network to work with, in the case of a public (open) network we are talking about."

If your employees connect to a public WiFi with their laptops, would you want them to use a VPN to connect to work, to work on sensitive tasks? Why block others from the same?

As I said, this is why I rarely use public WiFi..
